Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation
Dane Brandon, Hardeep Uppal
CSE551, University of Washington

Feb 25, 2016

Transcript
Page 1

Trusted Platform Modules: Building a Trusted Software Stack and Remote Attestation
Dane Brandon, Hardeep Uppal
CSE551
University of Washington

Page 2

Overview
Motivation
Trusted Computing and Trusted Platform Modules (TPM)
Trusted Software Stacks
Attestation
Measurements
Future Work and Conclusion

Page 3

Motivation
An End to the Middle
◦ Our ongoing research.
◦ Networked computers and trust.
◦ How can we validate a computer?
◦ Even with a password, can we trust they are who they say they are?
Hardware offers a potential solution…

Page 4

Trusted Computing and TPMs
Trusted Computing Group
◦ Spec for TPM and trusted software stack.
TPM - Hardware chip on most new business laptops and some other PCs.
◦ Dell Latitude, Lenovo ThinkPad, etc…
Offers some help that software can’t.
NOT protection against physical attacks.

Page 5

TPM Functionality

Page 6

TPM Functionality
Persistent memory
◦ Endorsement key (EK)
  Permanent private unique key
◦ Storage Root Key (SRK)
  Encrypts other keys, data with pub key out to disk.
Volatile memory
◦ Platform Configuration Registers (PCR)
◦ Attestation identity keys
◦ Storage keys

Page 7

TPM Functionality
Crypto-processor
◦ RSA key generator
◦ Random number generator
◦ Encryption / decryption
◦ SHA-1 hash and append
PCRs are append only. PCR[i] = SHA-1(PCR[i] | new value)

Page 8

Trusted Software Stacks
Core root of trust for measurement (CRTM).
◦ Boot block in BIOS. Never changes.
Chain of trust.
◦ Each software component measures the next.
◦ Append measurements to PCRs.
TrustedGRUB
TrouSerS (TSS API)
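
The append-only PCR rule and the chain of trust from the two slides above, as an added example (not code from the presentation): a verifier replays an ordered measurement log through PCR[i] = SHA-1(PCR[i] | new value) to obtain the expected PCR, and a changed or reordered component yields a different value. Component names and image contents are constructed, and a real TPM performs the extend in hardware.

```python
import hashlib

PCR_RESET = b"\x00" * 20  # static TPM 1.2 PCRs hold 20 zero bytes at power-on

def measure(component: bytes) -> bytes:
    """A measurement is the SHA-1 digest of the component about to run."""
    return hashlib.sha1(component).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR[i] = SHA-1(PCR[i] | new value); no operation sets a PCR directly."""
    return hashlib.sha1(pcr + measurement).digest()

def replay(log) -> bytes:
    """Recompute the PCR that an ordered measurement log produces from reset."""
    pcr = PCR_RESET
    for _name, measurement in log:
        pcr = extend(pcr, measurement)
    return pcr

def first_unexpected(log, known_good):
    """Name of the first logged component whose measurement is not known-good."""
    for name, measurement in log:
        if known_good.get(name) != measurement:
            return name
    return None

# Constructed boot chain: each stage is measured by the one before it.
GOOD_IMAGES = [("grub-stage1", b"stage1 v1"), ("grub-stage2", b"stage2 v1"),
               ("kernel", b"vmlinuz v1"), ("initrd", b"initrd v1")]
KNOWN_GOOD = {name: measure(image) for name, image in GOOD_IMAGES}
GOOD_LOG = [(name, KNOWN_GOOD[name]) for name, _ in GOOD_IMAGES]
EXPECTED_PCR = replay(GOOD_LOG)

# Same chain with a modified kernel image (constructed).
TAMPERED_LOG = [(n, measure(b"vmlinuz v1 + patch") if n == "kernel" else m)
                for n, m in GOOD_LOG]

if __name__ == "__main__":
    print("expected PCR :", EXPECTED_PCR.hex())
    print("tampered PCR :", replay(TAMPERED_LOG).hex())
    print("first bad    :", first_unexpected(TAMPERED_LOG, KNOWN_GOOD))
```

Because every extend hashes in the previous value, extending the correct kernel measurement after the modified one does not bring the PCR back to the expected value.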

Page 9

Trusted Software Stacks

Page 10

Attestation
We have a snapshot of state which can be signed.
How do we deliver it?
We can’t just send it over…
◦ Replay attacks

Page 12

Attestation
Use a nonce
◦ When request to join comes, challenge with a random number.
◦ Append to PCRs and sign. Funky fresh.
Note: Measurements only represent state immediately after boot.
◦ No guarantees of events after boot!
Still need to prove that the TPM is a TPM
Certificate Authority
◦ Validate TPM

Pages 13-15

Attestation
[Diagram. Labels: New Node, Privacy CA, Trusted Nodes, EK, AIK, Manf. Cert., PCA Cert.]

Pages 16-17

Attestation
[Diagram. Labels: New Node, Privacy CA, Trusted Nodes, EK, AIK, Manf. Cert., PCA Cert.]

Page 18

Attestation
[Same diagram, with added labels: "?" and "Challenge!"]

Page 19

Attestation
[Same diagram, with added label: "02895…"]

Page 20

Attestation
[Same diagram, with added labels: "10110…" and "Append nonce and sign PCRs with priv_AIK"]

Pages 21-23

Attestation
[Same diagram, with added label: "10110…"]

Page 24

Attestation
[Same diagram, with added labels: "10110…", "Verify bits match: SHA-1(expected PCRs | nonce)" and "SUCCESS!"]
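
The nonce challenge from the Attestation slides, as an added example (not code from the presentation): the new node signs SHA-1(PCRs | nonce) with priv_AIK, and the verifier accepts only a fresh nonce whose signed digest matches SHA-1(expected PCRs | nonce). It uses the slides' simplified formulation; a toy textbook-RSA key built from two publicly known Mersenne primes stands in for the AIK, the AIK public key is assumed to be already certified by the Privacy CA, and all PCR values are constructed.

```python
import hashlib
import secrets

# Toy stand-in for the AIK: textbook RSA over public Mersenne primes (illustration only).
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # priv_AIK; in a real system it stays inside the TPM

def quote_digest(pcrs, nonce: bytes) -> int:
    """SHA-1(PCRs | nonce), returned as an integer smaller than N."""
    return int.from_bytes(hashlib.sha1(b"".join(pcrs) + nonce).digest(), "big")

def tpm_quote(pcrs, nonce: bytes) -> int:
    """New node: append the nonce to the PCRs and sign with priv_AIK."""
    return pow(quote_digest(pcrs, nonce), D, N)

class Verifier:
    """Trusted node holding the expected PCR values and the AIK public key."""

    def __init__(self, expected_pcrs, aik_pub):
        self.expected_pcrs = expected_pcrs
        self.n, self.e = aik_pub
        self.pending = set()  # nonces issued and not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(20)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, signature: int) -> bool:
        if nonce not in self.pending:
            return False  # never issued, or already answered: a replay
        self.pending.discard(nonce)  # each nonce is good for one answer
        # Recover the signed digest with pub_AIK and compare with the expectation.
        return pow(signature, self.e, self.n) == quote_digest(self.expected_pcrs, nonce)

if __name__ == "__main__":
    good = [b"\x11" * 20, b"\x22" * 20]  # constructed PCR values
    v = Verifier(good, (N, E))
    nonce = v.challenge()
    sig = tpm_quote(good, nonce)
    print("fresh quote   :", v.verify(nonce, sig))
    print("replayed quote:", v.verify(nonce, sig))
```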

Page 25

Measurements
Verify PCR values change

Page 26

Measurements
[Chart: time in seconds]
Extends are fast
Creating keys is very slow
Load and sign, not too bad…

Page 27

Future Work
Create a privacy CA.
Implement complete attestation process and benchmark major components.
Put Xen in the middle of the chain of trust.
Add trusted software stack to ETTM project.

Page 28

Conclusion
TPMs show promise.
Building a trusted software stack is possible with open-source software.
Time cost not negligible, but reasonable.
Hardware should get better.
Need more software support.

Page 29

Other Thoughts
Lots of laptops have TPMs, no one uses them.
TrustedGRUB has 5400+ extra lines of code. We didn’t write them.
The Dell Latitude e5400 is garbage.
◦ Two thumbs down!